New company finds holes in raw code

New company finds holes in raw code - 04/06/0401:54 AM

A new company hopes to make life a lot harder for malicious hackers, releasing technology that analyzes computer code for security violations and enforces secure coding practices

Fortify Software Inc., a startup company based in Menlo Park, California, plans to unveil two new product suites on Monday, one to inspect source code written in the C++ and Java programming languages, the other to probe security holes in software applications, the company said.

The new products give companies a way to strengthen software applications against attack by spotting and removing common vulnerabilities like buffer overflows, format string errors and unchecked input from the product code early in the development process, said Mike Armistead, Fortify Vice President of Marketing.

At the heart of Fortify's products is technology called "extended static checking" that analyzes the properties of software code rather than the behavior of the finished program, said Brian Chess, chief scientist at Fortify.

Most source code analysis products work by trying to "stimulate" finished software applications with long lists of data and produce an invalid response. Extended static checking enables Fortify's products to enumerate all the paths in computer code that can take action or "execute," quickly spot sensitive areas in the computer code, then determine the exact limits of the vulnerability, he said.

That makes Fortify's product different from those of competitors such as Sanctum Inc. and SPI Dynamics Inc., said Theresa Lanowitz, research director at Gartner Inc.

"Fortify tackled this problem of security at the application level from a developer perspective only," she said.

Fortify Source Code Analysis is a suite of products that includes the Fortify Developer Toolkit and Fortify Source Code Analysis Server that compare code to a list of more than 500 vulnerabilities published by software quality management company Cigital Inc.

The Developer Toolkit is a desktop application that runs on Linux and Windows desktops and works with leading Integrated Development Environments (IDEs) to pinpoint security vulnerabilities early on, as code is being written and tested, Armistead said.

"The developer gets output that looks like output from a compiler," he said. For example, the Fortify Developer Toolkit might spot the developer using a software function that is known to introduce security risks.

"Instead of a compiler error saying 'I can't parse this,' developers will get a Fortify error saying that they're using a dangerous function, why not to use it and here's what could happen if you do use it," Chess said. "The idea is that just because a program compiles correctly, it's not necessarily a good program. So if the security checker doesn't like the program, you need to fix it."

The Analysis Server is another component of the Fortify Source Code Analysis product that analyzes software code for vulnerabilities and security flaws during "integration builds," when the work of multiple developers is knitted together, Armistead said.

The Analysis Server can analyze input as it flows through code to spot vulnerabilities where external input is digested by software functions, enabling the product to spot vulnerabilities that might not exist in a discrete segment of code, but pop up when combined with other vulnerable components, Chess said.

Also on Monday, Fortify will announce an application to analyze finished software applications before they are deployed.

Fortify Red Team Workbench is a penetration testing tool that uses both static analysis and dynamic analysis to probe security holes in running applications. The product can simulate sophisticated hacks and malicious behavior and works with quality assurance tools such as Mercury Interactive Corp.'s LoadRunner and the open source JUnit Java testing framework, Fortify said.

The idea is to make "red teams" that take the role of hackers to test application security more effective by providing them with powerful, automated tools, Armistead said.

The idea of applying security at the application development level is still nascent, but is gaining in popularity, Lanowitz said.

"The industry has to make sure that development groups understand the importance of security at the application level. ...Vendors will help with this problem by delivering content to the developers to help them ... focus on (security) at the application and source code level," she said.

New Vine Logistics Inc. of American Canyon, California, a third-party logistics company serving the wine industry, has also been evaluating the Fortify technology, said Pierre Tehrany, vice president of technology at New Vine.

New Vine has a staff of five software developers who write custom Web applications and business logic for the company, which handles inventory controls, order processing and financial information flows for wineries selling directly to consumers in 42 states, or to major distributors and other supply-chain partners, he said.

"It's critical that we're stable, that there's data integrity and that data is secure and only seen by our customers," Tehrany said.

New Vine has tested both the Developer Toolkit and Source Code Analysis Server. While the products didn't turn up any glaring security holes, they did discover problems that New Vine's development team missed and probably wouldn't have found, he said.

More importantly, the tools relieved developers of the need to become experts on security vulnerabilities, he said.

"(Fortify) tells the developers what's wrong and right, and gives them suggestions on how to fix it. I feel like I can close up or prevent vulnerabilities without having to have software engineers invest in (security) training or hire somebody," he said.